5 Ways to Spot a Coerced Insider Threat

William Senich is corporate vice president for global cyber solutions at Alion Science and Technology.

The scariest part of the Office of Personnel Management data breach isn’t that hackers have the data – it’s what they plan to do with it.

The sheer amount of personal information seized, allegedly by a Chinese espionage operation, has grabbed headlines for months. We know there are nearly 22 million Americans who had their data stolen. We also now know that nearly 6 million people had their fingerprint data stolen, leading to a host of new national security issues.

While the fact that this data has been stolen is scary, the bigger question is what will the hackers do with it?

When a large corporation is hacked for personal information, it usually takes the form of recent incidents at Home Depot or Target where customers’ credit card information is stolen and used by perpetrators for fraudulent purposes. Specifically, those who stole the credit card information were making unauthorized purchases or taking out cash against the credit line.  

It is those outcomes that led the government to offer free credit reporting and protection for those involved in the OPM hack. But the motivation behind swiping the information of more than 22 million federal employees, contractors and partners could be more sinister.

There are myriad reasons why this personal information could be so valuable to foreign actors. They could use this information to spy on Americans. They could share this information with allies or sell it to terrorists. They could use this information to expose American spies abroad. They could also use this information to create new insider threats on American soil.

We typically think of insider threats as self-motivated – for instance, selling IP or national secrets for financial gain – but that is not always the case. A subset of insider threat is the “coerced threat,” where an individual has been pressured into malicious activities by a hacker who has used the threat of exposing personal information as leverage. While this is a traditionally rare form of insider threat, it is unfortunately a new reality we must be prepared for.

For example, if an individual were in financial trouble, a hacker would classify him or her as a high-value target and ply them with money in exchange for classified information. The coerced threat, in theory, would be undetectable because the employee is in good standing, trusted and not worried about as a threat internally.

The National Insider Threat Policy outlines how government agencies need to monitor for threats, and it is highly recommended all federal agencies deploy third-party software to perform instant analysis of data. However, agencies need to look beyond data analysis and become more proactive in how they evaluate employees to account for a coerced threat.

In particular, a coerced threat differs from a traditional insider threat in terms of how the threat would be identified. For traditional insider threat risk, there are traditional warning signs – reduced loyalty, lack of empathy or a pattern of poor behavior – that easily cause warning signs.

But for a coerced threat, their outward behavior will likely not change at all. This is where agencies must look out for behaviors that are normal in isolation but are cause for concern taken in totality.

Here are five behavioral indicators that could indicate an employee in good standing has been coerced.

• Remotely accesses the network while on vacation, sick or at odd times
• Works odd hours without authorization
• Notable enthusiasm for overtime, weekend or unusual work schedules.
• Unnecessarily copies materials, especially if proprietary
• Interest in matters outside the scope of their duties

If you have an employee or contractor remotely accessing the network on vacation, that may not be cause for concern. But if that same person is also working odd hours without authorization, that should raise suspicions and potentially prompt an investigation.

As federal agencies ramp up their insider threat detection over the next year, they need to always keep the notion of a coerced threat in mind. The ways insider attacks are carried out are ever-changing. That means the way insider threats are detected must as well.

(Image via Andrea Danti/Shutterstock.com)